next excerpt! @the-arkadian was laughing out loud from about halfway through this; that’s when I knew I was on the right track. please flag any historical or technical errors, or any particularly interesting wrinkles you think warrant mention.
You
just learned chemistry and the first thing you built was a giant bomb
and you can’t understand why it blew up in your face.
– brockchainbrockshize,
/r/ethereum1
Not
content with their existing sales of Internet fairy gold, some
Ethereum developers at German blockchain startup Slock.it came up
with an even more complicated scheme: The DAO (a Decentralized
Autonomous Organization, with “The” as part of the name). This
was a program running as a smart contract on Ethereum which would
take people’s money and give it to projects voted on by the
contributors as worth funding: a distributed venture capital firm.
The
DAO’s Mission: To blaze a new path in business organization for the
betterment of its members, existing simultaneously nowhere and
everywhere and operating solely with the steadfast iron will of
unstoppable code.2
Bold
in original. I’m sure there are no obvious problems there that jump
right out at you.
The
DAO launched
on 30 April 2016,
got massive publicity and became the
biggest crowdfunding in
history,
with
over $150 million in ETH
from
11,000 investors.
Fourteen
per cent
of all Ether
was in The DAO.
It
was also the most prominent smart contract of all time, achieving
much mainstream press coverage.
It
proceeded to illustrate
just about every potential issue that has
ever been raised with smart contracts.
The
DAO’s legal footing was uncertain (and widely questioned). Selling
tokens in The DAO closely resembled trading in unregistered
securities – particularly when DAO tokens themselves hit
cryptocurrency exchanges – and the SEC had come down on similar
schemes in the past. There was no corporate entity, so it would
default in most legal systems to being a general partnership, with
the investors having unlimited personal liability, and the creators
and the designated “curators” of the scheme likely also being
liable.
Shortly
before the go-live date, researchers flagged several mechanisms in
the design of The DAO that would almost certainly lead to losses for
investors, and called for a moratorium on The DAO until they could be
fixed.3
Worse,
on 9 June a bug was found in multiple smart contracts written in
Solidity, including The DAO: if a balance function was called
recursively in the right way, you could withdraw money repeatedly at
no cost. “Your smart contract is probably vulnerable to being
emptied if you keep track of any sort of user balances and were not
very, very careful.”4
This was not technically a bug in Solidity, but the language design
had made it fatally easy to leave yourself wide open.
The
principals
decided to proceed anyway, Stephen
Tual of Slock.it confidently declaring
on 12 June “No
DAO funds at risk following the Ethereum smart contract ‘recursive
call’ bug discovery”5
… and on
17
June, a
hacker used this
recursive
call bug
to drain $50
million from The
DAO. And
nobody could stop this happening, because the smart contract code
couldn’t be altered without two
weeks’ consensus
from participants. The price of ETH promptly
dropped
from $21.50 to $15.
(Tual
posted on 9 July a hopeful list of reasons why the attacker might
just give all the ether back,
just like that. Because it
would be in their rational self-interest.6
This didn’t happen, oddly
enough.)
Ethereum
Foundation principals discussed options including a soft fork or a
hard fork of the code or even of the blockchain itself, or a rollback
of the blockchain. The community wrangled with the philosophical
issues: this contract had been advertised as “the steadfast
iron will of unstoppable
code,”
but
it
appeared only one person had read the contract’s fine print in
sufficient detail.7
Some
seriously debated whether this should even
be
regarded as a “theft”, because
code is law and intent doesn’t matter
(unlike in real-world contracts operating in a legal system, or
indeed in fraud
law).
Others
merely
argued
that the integrity of the Ethereum smart contract system required
that incompetent contracts, which The DAO certainly was, needed to be
allowed to fail.
(The
proposed soft fork solution was to blacklist transactions whose
result
interacted with the “dark DAO” the attacker had
poured
the funds into. This would
have been
an avenue for a fairly obvious denial-of-service attack: flood
Ethereum with costly computations that end at the dark DAO. This
approach
could only have worked by first solving the halting problem.8)
The
DAO was shut down soon after, and on
20 July the
Ethereum Foundation — several
of whose
principals were curators
of The DAO9
and/or heavily
invested in it
— changed
how the
actual code Ethereum runs on interpreted their blockchain
(the “immutable” ledger) so as
to wind
back the hack
and
take back their money. The
“impossible” bailout had happened.
This
illustrated
the final major problem with
smart contracts: CODE IS LAW
until the whales are in danger of losing money.
Ethereum
promptly split into two separate blockchains, each with its own
currency – Ethereum (ETH), supported by the Ethereum Foundation,
and Ethereum Classic (ETC), the original code and blockchain –
because this was too greedy even for cryptocurrency suckers to put up
with. Both blockchains and currencies operate today. Well done, all.
Apologists
note that The DAO was just an experiment (a $150 million
experiment) to answer the question: can we have a workable
decentralized autonomous organization, running on smart contracts,
with no human intervention? And it answered it: no, probably not.
1 brockchainbrockshize.
Comment
on “Attacker has withdrawn all ETC from DarkDAO on the unforked
chain”. Reddit /r/ethereum, 25 July 2016.
2 The
DAO front page, archive
of 22 June 2016. Yes, that’s after
the hack. The page doesn’t say that any more.
3 Dino
Mark, Vlad Zamfir, Emin Gün Sirer. “A
Call for a Temporary Moratorium on The DAO”. Hacking,
Distributed (blog), 27 May 2016.
4 Peter
Vessenes. “More
Ethereum Attacks: Race-To-Empty is the Real Deal”. Blockchain,
Bitcoin and Business (blog), 9 June 2016.
5 Stephen
Tual. “No
DAO funds at risk following the Ethereum smart contract ‘recursive
call’ bug discovery”. blog.slock.it, 12 June 2016. (archive)
6 Stephen
Tual. “Why the DAO robber could very well return the ETH on July
14th”. Ursium (blog), 9
July 2016. (archive)
7 There’s
an amusing (if probably just trolling) open letter purportedly from
the attacker posted to
Pastebin (archive) that
makes this claim explicitly.
8 Tjaden
Hess, River Keefer, Emin Gün Sirer. “Ethereum’s
DAO Wars Soft Fork is a Potential DoS Vector”. Hacking,
Distributed (blog), 28 June
2016.
9 Stephen
Tual. “Vitalik
Buterin, Gavin Wood, Alex van De Sande, Vlad Zamfir announced
amongst exceptional DAO Curators”. blog.slock.it, 25 April
2016.